Solved

Ensuring all VLANs/subnets are covered in VA & industry practices

Posted on 2016-10-06
Last Modified: 2016-11-07
Q1
As a governance/compliance person, I'm often not updated by the network teams when
new VLANs / subnets are created.  The network diagram may not be updated in a timely manner either.
What are the surest ways to check?  Get a read-only account on the core switch & issue
a command to see all the VLANs there?  Or where is the best place/device to see all
VLANs/subnets in a corporation?

Q2
For Cisco switches/routers, is there a way to automatically configure something to obtain
output of a certain command (say 'show vlan all') & get it emailed out?  Can Tripwire or
TACACS+ do this?

Q3
For internal VA scans, what are the subnets/VLANs that are scanned?  Do they scan only
server VLANs/zones, i.e. DMZ, Apps/internal, DB & management zones (is
Management crucial), or user/PC VLANs plus DR and UAT VLANs (where DR/UAT
servers sit) as well?
Question by: sunhux

Author Comment

by:sunhux
ID: 41831520
We have both Cisco & Nexus switches/routers, so do provide the commands

Author Comment

by:sunhux
ID: 41831526
This whole thing arises from auditor: how do we ensure and show evidence
that all network segments are scanned (& he meant the relevant segments)

Accepted Solution

by: SIM50 (earned 500 total points)
ID: 41831794
As a governance/compliance person, I'm often not updated by the network teams when new VLANs / subnets are created.  The network diagram may not be updated in a timely manner either. What are the surest ways to check?  Get a read-only account on the core switch & issue
a command to see all the VLANs there?  Or where is the best place/device to see all
VLANs/subnets in a corporation?

I think it would be better to look at the routing table to see if new routes were installed. Take a snapshot and then run a compare from time to time. The core switch would be the best place to look it up. I wouldn't look at the VLANs because not all of them might exist on that switch.
Edit: Forgot to mention this. It also depends on your internal routing protocol. For EIGRP, this would work no problem. For OSPF, I would get a routing table from each ASBR as the routes are usually summarized when they cross area boundaries.

For Cisco switches/routers, is there a way to automatically configure something to obtain output of a certain command (say 'show vlan all') & get it emailed out?  Can Tripwire or TACACS+ do this?

Look up Cisco Embedded Event Manager (EEM). There are applets for what you want. Might require a bit of scripting.

For internal VA scans, what are the subnets/VLANs that are scanned?  Do they scan only server VLANs/zones, i.e. DMZ, Apps/internal, DB & management zones (is
Management crucial), or user/PC VLANs plus DR and UAT VLANs (where DR/UAT
servers sit) as well?

Not sure what you are asking here. Can you please elaborate? What is VA, UAT?
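To make the snapshot-and-compare approach concrete, here is an added example (not from the original thread or any of its participants) in Python: it parses two saved 'show ip route' outputs from the core switch, reports routes that appeared or were withdrawn between snapshots, and lists routed networks that are not inside any configured VA scan target. The snapshots and the scan-scope list are constructed samples, not real output.

```python
import ipaddress
import re

# Route code(s) and prefix at the start of a Cisco IOS 'show ip route' entry,
# e.g. "D        10.0.20.0/24 [90/3072] via ..." or "O IA     172.16.5.0/24 ...".
ROUTE_RE = re.compile(r"^([A-Z*]{1,2}(?: [A-Z0-9]{1,2})?)\s+(\d+(?:\.\d+){3}/\d+)")

def parse_routes(show_ip_route):
    """Return {network: route_code} for each entry, ignoring 'L' host routes
    (the switch's own interface addresses, not subnets to scan)."""
    routes = {}
    for line in show_ip_route.splitlines():
        m = ROUTE_RE.match(line)
        if m and m.group(1) != "L":
            routes[ipaddress.ip_network(m.group(2))] = m.group(1)
    return routes

def diff_snapshots(old, new):
    """Networks that appeared in / disappeared from the routing table."""
    return sorted(set(new) - set(old)), sorted(set(old) - set(new))

def not_in_scan_scope(routes, scan_scope):
    """Routed networks (default route excluded) not fully inside any VA target."""
    scope = [ipaddress.ip_network(s) for s in scan_scope]
    return sorted(p for p in routes
                  if p.prefixlen > 0 and not any(p.subnet_of(s) for s in scope))

# Constructed sample snapshots in 'show ip route' layout (not real output).
OLD_SNAPSHOT = """\
S*    0.0.0.0/0 [1/0] via 10.0.0.1
      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        10.0.0.0/24 is directly connected, Vlan10
L        10.0.0.2/32 is directly connected, Vlan10
D        10.0.20.0/24 [90/3072] via 10.0.0.3, 02:11:40, Vlan10
O        10.0.30.0/24 [110/20] via 10.0.0.4, 00:45:10, Vlan10
"""
# Later snapshot: a new EIGRP route (say a UAT VLAN) and an OSPF inter-area route.
NEW_SNAPSHOT = OLD_SNAPSHOT + """\
D        10.0.40.0/24 [90/3072] via 10.0.0.3, 00:03:12, Vlan10
O IA     172.16.5.0/24 [110/30] via 10.0.0.4, 00:01:05, Vlan10
"""
SCAN_SCOPE = ["10.0.0.0/24", "10.0.20.0/24", "10.0.30.0/24"]  # constructed VA targets

def report(old_text=OLD_SNAPSHOT, new_text=NEW_SNAPSHOT, scan_scope=SCAN_SCOPE):
    # Evidence for the auditor: what changed, and what is routed but unscanned.
    old, new = parse_routes(old_text), parse_routes(new_text)
    added, removed = diff_snapshots(old, new)
    unscanned = not_in_scan_scope(new, scan_scope)
    return [str(p) for p in added], [str(p) for p in removed], [str(p) for p in unscanned]
```

Calling report() on the samples flags 10.0.40.0/24 and 172.16.5.0/24 both as new routes and as routed networks missing from the scan scope; in an OSPF network, feed it a snapshot from each ASBR as the answer notes, since summarised routes hide the individual subnets.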

Author Comment

by:sunhux
ID: 41832853
VA = Vulnerability Assessment
Some VA tools are like Nessus, McAfee Vulnerability Manager

UAT = a User Acceptance Test (i.e. a test server)

Assisted Solution

by: SIM50 (earned 500 total points)
ID: 41833522
I do network security designs and implementations so systems and policies are not really my forte. From my experience though, vulnerability scanning depends on the corporate policy and the compliance standard a company falls under. Like for PCI, you should scan all devices that fall in the scope. Scanning the rest depends on the policy but usually you scan all internet facing and important servers (AD, DBs, etc) and devices.

Management VLAN should be locked down to access only from certain PCs and ideally those PCs should be scanned.

User PCs usually fall under one departmental or company management policy from AD GPOs and WSUS. You can take a sample of PCs and scan them. The results should be similar.

For DR, it depends what kind of DR. Does it have live data for hot failover? If yes, then it falls under the same scanning policy as production. If it's warm DR, then you need to scan storage devices with the backup data.